Using Privacy Policy as a Poison Pill

Privacy policy serves a variety of purposes. In most instances, the person being protected is the subject of a record maintained by a third-party record keeper. Privacy policy also provides guidance and some protections for record keepers by defining the scope of their processing obligations.

I have a new purpose for privacy policy to share with you. It has little to do with protecting data subjects and a lot to do with protecting corporate interests for companies whose businesses rely on the collection, use and maintenance of large amounts of personal data about customers. Understand that my idea is strictly speculative.

To begin, you have to understand the concept known in the securities world as a "poison pill." A poison pill is a device designed to prevent a hostile takeover of a company. The usual way that poison pills work is through the issuance of new preferred shares to existing shareholders. These shares have redemption features that make an acquisition unattractive to a new owner. Other forms of poison pills have been developed.

Can a privacy policy serve as a poison pill? I got the idea from the recent flap involving Toysmart.com. Toysmart was an Internet company that went bankrupt last year. One of its assets was its customer list. The sale of the list was thought to be one way to raise money to pay off creditors.

The problem was that the company had adopted an unsuitably narrow privacy policy. It said that information about registered users would never be shared with a third party. This type of unqualified statement is dumb for several reasons. First, anyone with records can be served with a subpoena. Second, most companies use outsiders to provide essential functions, such as legal, accounting or computer services. The sharing of data with these outsiders can be essential. Third, records may need to be transferred as a result of a sale of the business or a bankruptcy.

The proposed Toysmart list sale provoked a storm of legal activity. The Federal Trade Commission and state attorneys general filed lawsuits to block the sale. Eventually, Disney, Toysmart's owner, bought the list without any intention of actually using it.

A secondary result of the Toysmart controversy was the introduction of an amendment to the Bankruptcy Act that would address the sale of customer lists by bankrupt companies. The amendment, offered by Sen. Patrick Leahy, D-VT, was intended to stop bankruptcy from providing an excuse for ignoring established privacy policies. The amendment is still pending.

The problem of privacy and corporate transfers is more interesting outside the bankruptcy setting, and this is where the poison pill idea applies. If a company is in a business that is information-intensive, with large amounts of personal data essential to its business activities, it is possible to write a privacy policy that might prevent a hostile takeover.

If the company's customer records represent a significant part of the value of the company, a potential corporate raider would think twice if a hostile takeover resulted in the purchase of the company but not in access to the customer records. No one would pay a premium for a company without the ability to contact its existing customers. The principle is the same, by the way, for business customers and consumer customers.

The issue here is broader than fighting off a hostile takeover. Any company may decide to sell itself to another. Mergers and acquisitions happen all the time. After the Toysmart debacle, everyone is on notice that a privacy policy should address corporate transfer issues. A good privacy policy will facilitate a reasonable transfer in a manner that allows the companies to conduct their business without interfering with the privacy interests of customers.

But suppose that you want to protect your company. You might write a privacy policy that prevented the transfer of records in case of a hostile takeover but not in case of a friendly merger or sale. An alternative is to have a privacy policy that restricts certain uses of data that would be attractive to others.

Consider, for example, a privacy policy that required the consent of customers for the transfer of their records to a new owner. If a new owner had to get customers to reregister, the likelihood is that an overwhelming percentage would refuse to do so. The customers might not care who the corporate owner is, but inertia might be enough to stop them from giving affirmative consent.